Bitwarden's CLI NPM package was hijacked and used to spread credential stealer malware.
Bitwarden's CLI NPM package was hijacked and used to spread credential stealer malware. This is related to the previous Checkmarx compromise.
We'll be updating this thread as always with new information. Come join the effort!
TeamPCP Campaign Spreads to npm via a Hijacked Bitwarden CLI
From: Kill Chain: The root package.json advertises @bitwarden/cli version 2026.4.0, while the embedded application metadata in build/bw.js still references 2026.3.0. That mismatch strongly suggests the malicious pac…
IFIN (discourse.ifin.network)
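
A defender-side check for the manifest-versus-bundle version mismatch described in the excerpt above, as an added example that is not part of the original post or of Bitwarden's code. It assumes the bundler inlined the manifest into the bundle (such as `build/bw.js`) so that a `name` field is followed closely by a `version` field; the function names and sample inputs are constructed for illustration.

```javascript
'use strict';

// Escape a package name for literal use inside a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Collect version strings from manifest-like fragments inlined in a bundle.
// ASSUMPTION: the name field is followed within the same object by a version
// field, with quoted (JSON) or unquoted (minified) keys. This is a heuristic.
function embeddedVersions(bundleSource, pkgName) {
  const re = new RegExp(
    '["\']?name["\']?\\s*:\\s*["\']' + escapeRegExp(pkgName) + '["\']' +
    '[^{}]{0,400}?["\']?version["\']?\\s*:\\s*["\']([^"\']+)["\']', 'g');
  const found = new Set();
  for (const m of bundleSource.matchAll(re)) found.add(m[1]);
  return [...found];
}

// Compare the version declared in package.json with what the bundle embeds.
// 'unknown' means no embedded version was found; it does not mean "clean".
function checkVersionConsistency(manifestText, bundleSource) {
  const { name, version } = JSON.parse(manifestText);
  const embedded = embeddedVersions(bundleSource, name);
  let status;
  if (embedded.length === 0) status = 'unknown';
  else if (embedded.every((v) => v === version)) status = 'consistent';
  else status = 'mismatch';
  return { name, declared: version, embedded, status };
}

// Constructed sample inputs mirroring the versions quoted in the excerpt.
const sampleManifest = JSON.stringify({ name: '@bitwarden/cli', version: '2026.4.0' });
const sampleBundle =
  'var pkg={name:"@bitwarden/cli",description:"x",version:"2026.3.0"};';

console.log(checkVersionConsistency(sampleManifest, sampleBundle));
```

To run it against an installed copy, read the package's `package.json` and its bundle with `fs.readFileSync(path, 'utf8')` and pass both strings to `checkVersionConsistency`.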